Defending Against Industroyer with ICS Anomaly Detection

This article was updated on October 10, 2019.

Recent industrial security news has focused on Industroyer (also known as CrashOverride or Win32/Industroyer). Not since Stuxnet has the world seen malware designed and deployed to disrupt physical infrastructure, in this case power grids. Industroyer is believed to have been used in the December 17, 2016 attack on Ukraine's power grid that cut electrical power to a large area of its capital city, Kiev.

Industroyer speaks industrial communication protocols used worldwide in power supply infrastructure and uses them to directly control electricity substation switches and circuit breakers. It is concerning because it uses these protocols exactly as they were designed to be used: the commands it sends are syntactically legitimate, which at a high level makes it hard to detect and mitigate. Furthermore, it is built as a toolset with configurable payloads that a capable attacker could adapt to other environments.

Fortunately, advanced ICS intrusion detection is available that would both identify this type of malware’s presence and help protect against its impacts. Let’s examine the phases of the Industroyer campaign and how anomaly detection and rule capabilities work together to defend against this threat.

The Three Main Phases of the Industroyer Malware Campaign

Like other advanced persistent threats, Industroyer goes through multiple steps to achieve its goals. Its three main phases are:

Phase 1 – Infection

In this phase Industroyer does nothing specific to ICS. It establishes itself on a network and uses backdoors to beacon out to an external Command and Control (C&C) server. Once contact has been made, commands from the C&C direct Phases 2 and 3 of the attack.

Phase 2 – Discovery

Industroyer works to learn about the network and control system of the infected power grid, using the four standard industrial protocols its payload modules implement: IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA. It maps the host environment and identifies key targets, enabling the threat actors to design an attack tailored to harm that specific environment.

Phase 3 – Attack

In this phase the malware can directly control the switches and circuit breakers of substations in its host environment. Once it has achieved its objective, a Data Wiper module makes machines unusable and helps cover the tracks of the attackers.

Industroyer / CrashOverride Mitigation and Remediation

Nozomi Networks Guardian utilizes a layered approach of anomaly detection and rule analysis to quickly discover Industroyer at all three of its attack phases.

1. Anomaly Detection

Anomaly detection is a foundational capability of Guardian: the product learns normal network and process behavior and then flags activity that deviates from it. During Phase 1, Guardian would identify that Industroyer was trying to connect to a public IP address and generate an alarm that would be visible on dashboards and in email alerts.

Phase 2 is when Industroyer engages in the learning that is critical for achieving its objective. Guardian excels here by quickly identifying deviations from the learned communication baseline.

For example, it would detect unusual OPC traffic as Industroyer's OPC DA module enumerates OPC servers and the items they expose across the network. It would also identify systems leveraging the ICS protocols that have not done so before, and new network flows using them. This gives the ICS practitioner the opportunity to implement remediation actions immediately.

Because of the alerts provided in Phases 1 and 2, ideally action would be taken that prevents Phase 3. However, if the attack does proceed that far, Guardian would assist by rapidly detecting irregular commands to switches or circuit breakers. This would allow security or operations staff to implement new firewall rules to stop further attack commands.

Alternatively, through integration with a firewall such as Fortinet’s FortiGate, once Guardian detects nefarious commands, it can automatically trigger the implementation of rules that block the attack.
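The baseline-then-alert model described across the three phases above, as an added example that is not Nozomi Networks code and does not describe how Guardian is implemented internally. It learns (source, destination, port) flows and the IEC 104 information object addresses (IOAs) each master commands from a constructed learning period, then raises a Phase 1 alert for connections to public addresses, a Phase 2 alert for hosts speaking an ICS protocol for the first time, and a Phase 3 alert for control commands to an IOA that master never commanded before. All hosts, ports, IOAs and APDU bytes are invented; the IEC 104 parser handles only single-object I-format frames, and treating TCP/135 alone as the OPC DA indicator is a simplification (DCOM negotiates dynamic ports after the endpoint mapper).

```python
"""Baseline-then-alert detection for the three Industroyer phases over constructed flow records.

Added example, not Nozomi Networks code. All addresses, ports, IOAs and payloads are invented.
"""
import ipaddress
from collections import defaultdict

# TCP ports of the protocols Industroyer's payload modules speak (IEC 101 is serial and has no port).
ICS_PORTS = {2404: "IEC 60870-5-104", 102: "IEC 61850 MMS", 135: "OPC DA (DCOM endpoint mapper)"}

# IEC 104 ASDU type identifiers that carry control commands to outstations (breakers, switches).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 58: "C_SC_TA_1 single command (time-tagged)",
    59: "C_DC_TA_1 double command (time-tagged)",
}

# Assumption: the plant network has no other internal routing, so anything outside these ranges is public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_iec104(apdu):
    """Parse a single-object I-format IEC 104 APDU. Returns None for S/U frames or anything malformed."""
    if len(apdu) < 16 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        return None
    if apdu[2] & 0x01:                      # bit 0 of control octet 1 set: S- or U-format, carries no ASDU
        return None
    sq, count = apdu[7] >> 7, apdu[7] & 0x7F
    if sq or count != 1:                    # this example handles exactly one information object
        return None
    return {
        "type_id": apdu[6],
        "cot": apdu[8] & 0x3F,                          # cause of transmission (6 = activation)
        "common_addr": int.from_bytes(apdu[10:12], "little"),
        "ioa": int.from_bytes(apdu[12:15], "little"),   # information object address, 3 bytes little-endian
        "element": apdu[15],                             # SCO/DCO octet: bits 0-1 state, bit 7 select/execute
    }


def learn_baseline(flows):
    """Learning mode: record every (src, dst, port) flow and which IOAs each master commands."""
    baseline = {"flows": set(), "ioas": defaultdict(set)}
    for src, dst, dport, payload in flows:
        baseline["flows"].add((src, dst, dport))
        if dport == 2404 and payload:
            asdu = parse_iec104(payload)
            if asdu and asdu["type_id"] in CONTROL_TYPES:
                baseline["ioas"][(src, dst)].add(asdu["ioa"])
    return baseline


def analyse(flows, baseline):
    """Protection mode: return (phase, message) alerts for flows that deviate from the baseline."""
    alerts = []
    for src, dst, dport, payload in flows:
        if is_public(dst):                                  # Phase 1: beacon to an external C&C
            alerts.append(("phase1", f"{src} -> public address {dst}:{dport}"))
            continue
        if dport in ICS_PORTS and (src, dst, dport) not in baseline["flows"]:   # Phase 2: new ICS talker
            alerts.append(("phase2", f"new {ICS_PORTS[dport]} flow {src} -> {dst}"))
        if dport == 2404 and payload:                       # Phase 3: command to a never-commanded IOA
            asdu = parse_iec104(payload)
            if asdu and asdu["type_id"] in CONTROL_TYPES \
                    and asdu["ioa"] not in baseline["ioas"].get((src, dst), set()):
                alerts.append(("phase3", f"{CONTROL_TYPES[asdu['type_id']]} from {src} to {dst} "
                                         f"IOA {asdu['ioa']} element=0x{asdu['element']:02x}"))
    return alerts


# Constructed IEC 104 APDUs: I-format, type 45 single command, COT 6 (activation), common address 1.
CMD_IOA_257 = bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 01 01 00 01")  # IOA 257, SCO=0x01 (ON, execute)
CMD_IOA_512 = bytes.fromhex("68 0e 02 00 00 00 2d 01 06 00 01 00 00 02 00 01")  # IOA 512, SCO=0x01 (ON, execute)

# Constructed learning-period traffic: HMI 10.1.1.10 commands RTU 10.1.2.20 and polls OPC server 10.1.2.21.
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.2.20", 2404, CMD_IOA_257),
    ("10.1.1.10", "10.1.2.20", 102, None),
    ("10.1.1.10", "10.1.2.21", 135, None),
]

# Constructed live traffic after engineering workstation 10.1.1.50 is infected.
LIVE_FLOWS = [
    ("10.1.1.10", "10.1.2.20", 2404, CMD_IOA_257),   # routine command already in the baseline: no alert
    ("10.1.1.50", "203.0.113.5", 443, None),         # Phase 1 beacon (RFC 5737 range stands in for a real C&C)
    ("10.1.1.50", "10.1.2.21", 135, None),           # Phase 2: OPC enumeration from a host that never spoke OPC
    ("10.1.1.50", "10.1.2.20", 2404, CMD_IOA_512),   # Phase 2 + 3: new 104 talker commanding an unseen IOA
    ("10.1.1.10", "10.1.2.20", 2404, CMD_IOA_512),   # Phase 3 only: legitimate master, but IOA 512 never commanded
]


def run():
    return analyse(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for phase, msg in run():
        print(phase, msg)
```

The last live flow is the case worth noticing: the sender is the legitimate master and the 104 frame is well-formed, so nothing about it is "malicious" at the protocol level; only the fact that IOA 512 was never commanded during the learning period makes it stand out, which is exactly why a learned baseline rather than a protocol signature is needed against a toolset that uses the protocols as designed.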

2. Yara Rules

YARA is an open-source pattern-matching language for identifying and classifying malware; rules describing known samples are written and shared by a global community of security researchers. Guardian embeds these rules into its platform, allowing it to advance as fast as the collective body of research does. At this time, Guardian includes five Yara rules that identify specific files associated with Industroyer in Phases 1 and 3. If these files are identified on a network, alarms are generated.

3. Assertions

Assertions are Guardian's rule-building and querying capability, which detects specific data and events parsed from a stream of network traffic. They are an adaptive way to recognize subtle changes in device behavior and allow operators to be as proactive as possible in a changing threat landscape. Assertions could be used in Phases 1 and 3 to identify Industroyer.

The use of assertions, in combination with Guardian’s anomaly detection and Yara rules, is a powerful way for ICS practitioners to identify and mitigate advanced threats like Industroyer.

Improving ICS Cyber Security with Anomaly Detection and Rules

Increasing cyber threats from malware like Industroyer are driving power generation, substation and electric grid operators to improve the resiliency of their systems with enhanced ICS cyber security programs and strategies. When considering how to prevent and improve remediation of advanced malware attacks, know that comprehensive intrusion detection is included in Guardian.

Its anomaly detection identifies increased or variable usage of the specific protocols abused by Industroyer as compared to the baselines established for an environment. It also identifies systems leveraging these protocols that have not done so before, and identifies new network flows using them.

Yara rules are embedded into Guardian and can be leveraged to provide a high level of confidence regarding Industroyer infection and may be more reliable than using other indicators of compromise (IOCs).

Finally, the product’s assertions capability gives operators of power systems a powerful, flexible and fast way to check data flows for unusual traffic and irregular behavior.

To help you defend your systems against Industroyer / CrashOverride, two resources are available: